Irule to send client ip to SPLUNK Server

Question

Hello All.&nbsp;
I am currently using "x-forwarded-for" to send client  ip address to the backend server. But that doesn't really help our security team to have visibility on the client ip address or user data.  
&nbsp;
I am trying to create irule which can send client ip address to SPLUNK server for client  ip address visibility on splunk (for both http adn non-http traffic).&nbsp;
can any body share irule for sending client ip address plus user data to splunk server for both http and non-http traffic?&nbsp;

only1masterbla1 · Answer

You could use HSL (high speed logging)
https://devcentral.f5.com/wiki/iRules.HSL.ashx
https://devcentral.f5.com/wiki/iRules.HSL__send.ashx&nbsp;
example below:&nbsp;
when CLIENT_ACCEPTED {
   set hsl [HSL::open -proto UDP -pool syslog_server_pool]
}
when HTTP_REQUEST {
    Log HTTP request as local7.info; see RFC 3164 Section 4.1.1 - "PRI Part" for more info
   HSL::send $hsl "&lt;190&gt; [IP::local_addr] [HTTP::uri]
"
}&nbsp;

Forum Discussion

Irule to send client ip to SPLUNK Server

1 Reply

Welcome! a la Communidad DevCentral LATAM de F5!

The New F5 Certified BIG-IP Administrator Certification Exams Now Live

Recent Discussions

Issue on connection limit

Wireshark Plugin for TLS

F5 Distributed Cloud Services Simulator Connect

F5 CIS -> NGINX Plus Ingress Controller Integration

Catch Dynamic CRL Errors and Return Friendly Page

Related Content

Setting up F5 Telemetry Streaming with Splunk Cloud

Get actual client ips in splunk

How I did it - "Visualizing Data with F5 TS and Splunk"

F5 MCP(Model Context Protocol) Server

Client vs Server SSL profile

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS